We use cookies to customise content for your subscription and for analytics.If you continue to browse Lexology, we will assume that you are happy to receive all our cookies. For further information please read our Cookie Policy.

Amendments to the Personal Data Protection Act Will Take Effect on 15 March 2016

On February 25, 2016, the Executive Yuan decided that the amendments to the Personal Data Protection Act (PDPA), promulgated on December 30, 2015, shall take effect on March 15, 2016. It was the first time the PDPA has been amended since October 1, 2012. Articles 6 and 54 of the PDPA, the two articles regarding which the effective dates had originally been suspended since October 2012 due to public concerns, will come into force on the effective date of the amendments in the amended context. In addition, the requirement of obtaining "written consent" in certain situations will be replaced by simply requiring "consent." As was stated in our earlier newsletter, issued on January 5, 2016, the main points of the amendments are as follows:

Classifying medical records as sensitive personal data, and adding "where a written consent from the data subject has been obtained" to the grounds for legitimate processing of sensitive personal data:

Formerly, medical records were classified as general personal data, while personal data concerning medical treatment and health examination were classified as sensitive personal data. However, it is very difficult to differentiate these two types of personal data which will likely cause confusion. Under the amendments, medical records have been classified into sensitive personal data to alleviate the above uncertainty and concern. In addition, there are two new grounds for legitimate collecting, processing, and use of sensitive data; one is: "when it is necessary for assisting a government agency in performing its duties or a non-government agency in fulfilling a legal obligation, and when there are proper security measures in advance or afterwards" and the other is: "where written consent of the data subject has been obtained", which will make Article 6 more practical.

Partially expanding the grounds for legitimate collecting, processing and use of personal data:

The legitimate ground to collect, process, and use personal data, i.e., "where the written consent of a data subject has been obtained", has been replaced with the term "where the consent of a data subject has been obtained", except when dealing with sensitive personal data. Therefore, written consent is not necessary anymore, as long as one has consent. According to the amendments, if the data collector has specifically notified the data subject of the matters required to be notified, and the data subject does not object and provide his/her personal data to the data collector, the consent of the data subject shall be deemed as having been obtained. Meanwhile, the amendment specifies that it would be the data collector's burden to prove that consent of the data subject has been given. It can be anticipated that there will be a variety of formats of consent after the amendments take effect.

In addition, for the purpose of aligning the grounds for legitimate collection, processing, and use of personal data between government agencies and non-government agencies, the amendments added "the rights and interests of the data subject may not be harmed" to one of the grounds for legitimate collection, processing and use of personal data under Article 19 of the PDPA, and also added "where such use may benefit the data subject" to one of the grounds for legitimate use of personal data outside the scope of the specific purpose of collection provided under Article 20 of the PDPA.

Notification

Article 54 of the PDPA previously required that data owners had to notify data subjects within one year following October 1, 2012, if the data owners had obtained the data subjects’ personal data indirectly prior to October 1, 2012. However, considering that certain industries that own a large quantity of personal data are not capable of meeting the notification requirement within the one-year period, the Executive Yuan has left the enforcement of Article 54 in abeyance. In the amendments, Article 54 has been amended so that data owners must perform the notification obligations no later than the first time they use such personal data to contact the data subjects after the new Article 54 becomes effective.

Criminal sanctions

For the purpose of lightening strict penalties, the sanctions for criminal offenses under Article 41 of the PDPA which are committed without intention of making profit have been repealed.

It has been three years since the PDPA came into force on 1 October 2012. In fact, the amendments have resolved many disputes. In response to the amendments, your company may review the documents which were prepared for the purpose of complying with the PDPA and re-examine the operating procedures.

Related topic hubs

Compare jurisdictions: Data Security & Cybercrime

"Generally, this service is wonderful. I find that the employment law newsfeeds are extremely helpful and relevant. The quality of the articles is usually quite good. The website provides an avenue for quick research regarding various employment law issues."